Tuesday, August 14, 2012

Trojan Banker/Password Stealer (B99A6FF84E4404488D789F5D56593735)

Yesterday I found that a local website had been compromised and embedded with malicious code. Once a user visits the website and allows the Java applet to run, the malware is downloaded and installed.

The picture above shows that you are prompted to use the Java plug-in for some 'features' on this website. Let's take a look at the webpage source code. The part highlighted in red in the picture below is a Windows batch command that drops a VBScript file, which in turn downloads another piece of malware (a Windows executable) from an Israeli website. That website has possibly also been compromised.

As we can see, extra code has been embedded in the main page of the website. At the top of it is a call to the Java applet (Dantas.jar). This Java applet is what runs the Windows batch command. Below is the Java applet code.

If the Windows batch command executes successfully, it writes the VBScript code into the Windows temporary directory as eden.vbs. It then runs eden.vbs, which downloads and executes the malware executable.
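The chain described so far (an applet tag loading a .jar, a batch one-liner that echoes VBScript into %TEMP%, and a VBScript downloader that is then run) can be flagged with a few string heuristics over the page source. The scanner below is an added example, not code from the original post or from the compromised site; the HTML it scans is constructed for the demonstration, and the indicator names and regexes are assumptions that approximate what the post describes.

```python
"""Heuristic scanner for the applet -> batch -> VBScript drop chain
described in the post. Added example; the sample page is constructed."""
import re

# Each indicator: (name, compiled regex). Case-insensitive because batch
# and VBScript are case-insensitive and injected code is often mixed case.
INDICATORS = [
    ("java_applet_tag", re.compile(r"<applet[^>]+\.jar", re.I)),
    ("batch_echo_to_temp", re.compile(r"echo\s.+?>>?\s*%temp%\\\S+\.vbs", re.I)),
    ("vbs_run_from_temp", re.compile(r"(cscript|wscript)(\.exe)?\s+%temp%\\\S+\.vbs", re.I)),
    ("vbs_http_download", re.compile(r"MSXML2\.(Server)?XMLHTTP|ADODB\.Stream", re.I)),
    ("vbs_exec", re.compile(r"WScript\.Shell", re.I)),
    ("pharma_spam_link", re.compile(r"<a[^>]+href=[^>]*(viagra|cialis)", re.I)),
]


def scan_page(html: str) -> dict:
    """Return {indicator_name: [matched snippets]} for every indicator hit."""
    hits = {}
    for name, pattern in INDICATORS:
        found = [m.group(0) for m in pattern.finditer(html)]
        if found:
            hits[name] = found
    return hits


def classify(hits: dict) -> str:
    """Rough verdict: the full drop chain (applet + batch drop + VBS run)
    is 'infected'; isolated indicators are only 'suspicious'."""
    chain = {"java_applet_tag", "batch_echo_to_temp", "vbs_run_from_temp"}
    if chain.issubset(hits):
        return "infected"
    return "suspicious" if hits else "clean"


# Constructed sample page mimicking the injection layout the post describes
# (applet at the top, batch/VBScript drop, pharma link at the bottom). This is
# NOT the real compromised site's source.
SAMPLE_PAGE = r"""
<html><body>
<applet code="Dantas.class" archive="Dantas.jar" width="1" height="1"></applet>
<!-- cmd /c echo Set x = CreateObject("MSXML2.XMLHTTP") >> %TEMP%\eden.vbs
     cmd /c echo Set s = CreateObject("WScript.Shell") >> %TEMP%\eden.vbs
     cmd /c cscript %TEMP%\eden.vbs -->
<p>Welcome to our site</p>
<a href="http://example.invalid/buy-viagra">cheap pills</a>
</body></html>
"""

CLEAN_PAGE = "<html><body><p>Nothing to see here</p></body></html>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        hits = scan_page(page)
        print(label, classify(hits), sorted(hits))
```

A single hit (for example a lone WScript.Shell reference) is common on legitimate intranet pages, so the verdict only escalates to "infected" when the applet, the batch drop and the VBScript execution are all present together.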

At the bottom of the website, some pharma/viagra scam hyperlinks have also been embedded.

Now we need to take a closer look at the PE file downloaded from the following link:

The PE file is actually an SFX (self-extracting) archive. It contains several files, including a certificate from the malware author.

FileName          MD5                                 Desc.
certadm.dll       AED39116FE12C5550975043DA1D1B244    Microsoft Certificate Services Admin
certnew.cer       2B742FEB1883EE5CB418B1CBAB145A7D    Fake Security Certificate
certutil.exe      711DB2EF10B6C2AB2080698AEC6C6D08    Cert Util.exe
givetome.exe      6D2C398E03397C9D089EDC0F00AB3FCB    http://noeld.com/programs.asp
jeovahjireh.exe   0B2BF362548B244477D9FFB613AF54D4    Malware

The only suspicious file is 'jeovahjireh.exe', so we need to take a closer look at it. The file is packed with UPX 3.07. The PE file is actually a kind of Bat2Exe file binder; inside the PE is a Windows batch command.
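When handling the extracted SFX contents, the first two checks an analyst wants are a hash match against the MD5s in the table and a quick test for UPX packing before attempting to unpack. The script below is an added example, not the post's own tooling: it hashes every file in a directory, looks the digest up in the table above, and flags UPX by the 'UPX!' header magic and the UPX0/UPX1 section names. The sample files it writes are constructed stand-ins (a fake "packed" PE and a text file), not the real binaries.

```python
"""Triage helper for the extracted SFX contents: MD5 match against the
table's hashes plus a UPX packing heuristic. Added example; sample files
are constructed stand-ins, not the real samples."""
import hashlib
import os
import tempfile

# MD5s copied from the table above (lowercased to match hexdigest()).
KNOWN_BAD = {
    "aed39116fe12c5550975043da1d1b244": "certadm.dll",
    "2b742feb1883ee5cb418b1cbab145a7d": "certnew.cer",
    "711db2ef10b6c2ab2080698aec6c6d08": "certutil.exe",
    "6d2c398e03397c9d089edc0f00ab3fcb": "givetome.exe",
    "0b2bf362548b244477d9ffb613af54d4": "jeovahjireh.exe",
}

# UPX header magic and the default section names UPX writes.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def md5_file(path: str) -> str:
    """Stream the file through MD5 so large samples do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_upx_packed(data: bytes) -> bool:
    """Cheap string heuristic. A stripped or renamed UPX header defeats it,
    so a miss means 'unknown', not 'unpacked'."""
    return any(marker in data for marker in UPX_MARKERS)


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        data = f.read()
    digest = md5_file(path)
    return {
        "name": os.path.basename(path),
        "md5": digest,
        "known_bad": KNOWN_BAD.get(digest),   # table entry or None
        "upx": looks_upx_packed(data),
        "is_pe": data[:2] == b"MZ",           # DOS header magic
    }


def triage_dir(directory: str) -> list:
    return [triage_file(os.path.join(directory, n))
            for n in sorted(os.listdir(directory))]


def make_constructed_samples(directory: str) -> None:
    """Write stand-in files: a fake UPX-packed PE and a plain text file.
    The PE is just an 'MZ' stub carrying the UPX markers, not a real binary."""
    fake_upx = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 36
                + b"UPX1" + b"UPX!" + b"\x00" * 100)
    with open(os.path.join(directory, "packed.exe"), "wb") as f:
        f.write(fake_upx)
    with open(os.path.join(directory, "readme.txt"), "wb") as f:
        f.write(b"just text\n")


def demo() -> list:
    """Create the constructed samples in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as d:
        make_constructed_samples(d)
        return triage_dir(d)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real extraction directory the `known_bad` field ties each file back to the table; a file that hashes to none of them but carries the UPX markers is the one to unpack (upx -d) and inspect next, which is how the embedded batch command inside jeovahjireh.exe would be reached.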